What also makes me suspicious is the fact that the file palemoon-20.3-installer.exe from archive.org is smaller in size and has different properties than the one from archive.palemoon.org - but strangely it has the same files with the same contents in it when unzipping (unpacked with a utility, not by running or self-unpacking!). Is there something else hidden in the file palemoon-20.3-installer.exe from archive.palemoon.org?

I only downloaded this file palemoon-20.3-installer.exe - I can't say anything about the other archived files.

Looks like there has been a data breach on the previous archive server on 27 Dec 2017 considering the date stamp on the files when all (reasonably modern) Pale Moon installer and portable executable files were changed and likely infected; considering the time stamps this has been done with a script. There has been no indication of a breach at all and all transfers were done over secure connections, so it looks like this was done through either local access or via a compromised remote session.

It seems to me that the hosting VM provider might not have (had) proper security in place to host the type of (Windows) VPS offered at the time; with the files having been transferred to a new solution when the previous one became corrupt (which I now suspect was also a malicious act by the same party and not, as thought, a hardware failure), the infected older files have, unfortunately, been retained in the new archive. Obviously, if you were to check the accompanying pgp .sig files for them they would fail the check, but not all versions of the archived binaries have been signed previously, including the 20.3 versions.

I will take the archive offline immediately and investigate further if possible, but considering the previous solution is no longer in production where this infection happened, it does not look like much more can be garnered from it.

"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

@Karl, so this dropped file, what, that came about when attempting to run the infected installer (in a sandboxed environment)?

No. I've downloaded it to my desktop. Moved it with my mouse into a special folder for later transfer into a VM; a chattering contact in an old cheap mouse started it. Normally the first step would have been renaming, but I forgot. A window came up asking for my administrator password while another file was dropped onto the desktop, then I killed the system by cutting the power off. Started the dual-boot Linux for examination, found in %APPDATA% a new folder Blw with some files, two of them .exe. Later I found a Run entry in the registry pointing to one of these executables.
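The two artifacts described in that post (a new folder under %APPDATA% and a Run entry in the registry pointing into it) are exactly what a defender would triage first. The script below is an added example, not code from the thread or from the Pale Moon project: it parses the text that `reg query` prints for a Run key and flags entries whose executable lives under the user's roaming AppData folder. The sample `reg query` output is constructed for this illustration; the `Blw` folder name is the one reported in the thread, while the executable name inside it is a placeholder, since the post does not give it.

```python
"""Triage HKCU\\...\\Run entries for programs started from %APPDATA%.

Added example (not from the forum thread or the Pale Moon project).
Parses the plain-text output of `reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`
and reports entries that launch an executable from the roaming AppData
folder, the location where the infected installer dropped its files.
"""
import re

# Constructed sample of `reg query` output. "Blw" is the folder name reported
# in the thread; "placeholder.exe" stands in for the executable name, which
# the thread does not give. The other two entries are benign-looking fillers.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Blw    REG_SZ    C:\Users\user\AppData\Roaming\Blw\placeholder.exe
    Vendor Tool    REG_SZ    "C:\Program Files\Vendor Tool\tool.exe" -minimized
"""


def parse_reg_query(text):
    """Return [(name, reg_type, value), ...] from reg query's text output.

    reg query separates the three columns with runs of spaces, so we split on
    two or more whitespace characters; maxsplit=2 keeps spaces inside the value.
    """
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):       # key header or blank line
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def executable_of(command):
    """Extract the program path from a Run value, which may carry arguments."""
    command = command.strip()
    if command.startswith('"'):               # quoted path, args follow the quote
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def runs_from_roaming_appdata(path):
    """True when the executable sits under %APPDATA% (AppData\\Roaming)."""
    p = path.replace("/", "\\").lower()
    return "\\appdata\\roaming\\" in p or p.startswith("%appdata%")


def suspicious_run_entries(reg_query_text):
    """Names of Run entries whose program is launched from roaming AppData."""
    return [
        name
        for name, _type, value in parse_reg_query(reg_query_text)
        if runs_from_roaming_appdata(executable_of(value))
    ]


if __name__ == "__main__":
    # On a real host, feed in: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    for name in suspicious_run_entries(SAMPLE_REG_QUERY):
        print("review Run entry:", name)
```

Programs under AppData\Roaming are not automatically malicious, so treat a hit as a lead to examine (file hashes, signatures, creation time) rather than a verdict; the value of the check is that it turns a manual registry read into something repeatable across several machines.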

I'm investigating as much as can be done, and will be posting a post mortem report for transparency.

Thank You for investigating.
A humble question: as I wrote in my opening post, I didn't start or let self-extract the suspicious palemoon-20.3-installer.exe, but I unpacked the contained files with a 7zip utility (Total Commander, packer extension "Total7zip.wcx"). Just to be sure, was I right when I presumed that it's not possible to get infected by merely unpacking palemoon-20.3-installer.exe with a utility?

"Always look on the bright side of life"
»Eric Idle«

"The Asshole is an essential member of the human body - who despises it might mistakenly use the mouth in its place"
»unknown platitudinarian«

The files inside the archives/installers were not modified. Just using a tool to extract the enclosed files is perfectly safe.
Only by running the installers or self-extractors (for portable) is there a risk for infection. As long as you don't actually run them, you are good.


Renaming it won't change the fact that for a while, old archived versions of the windows executables -were- trojan-infected and available to the public; although considering how long it took for this to come to light, I don't think the affected versions were downloaded a lot at all.


(While archive.palemoon.org is down, & .sig & "Digital Signatures" methods aside), do you have a listing of known good hashes that you could post so others questioning the validity of files they may have on hand can check against?

Thanks for the tip. Unfortunately it does not live up to its name, since hashing is incredibly slow -- I'll have to let it run overnight and hope that it's done when I get up.
OK so that's really weird. I interrupted it because it should only hash the .exes -- and when indicating that and restarting the process it was suddenly fast at hashing...?

I looked at hashmyfiles and it refused to traverse subdirectories, and the output was MUCH too verbose to be useful.

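The request above for a list of known-good hashes, and the subsequent struggle with hashing tools that either refuse to recurse into subdirectories or produce unusable output, are both addressed by a small script. The one below is an added example, not code from the thread or from the Pale Moon project: it walks an archive tree, hashes only the installer and portable executables (the thread states that the files inside them were untouched, so the .exe wrappers are what need checking), and compares each SHA-256 against a sha256sum-style manifest. The manifest format and the sample file contents are assumptions for this illustration; real known-good digests have to come from the project.

```python
"""Verify a tree of downloaded installers against a known-good hash list.

Added example (not part of the forum thread or the Pale Moon project).
Walks a directory, hashes only files with the chosen extensions (.exe),
and compares each digest with a manifest of known-good SHA-256 values in
sha256sum style ("<hex digest>  <relative/path>"). The manifest format is
an assumption made for this illustration.
"""
import hashlib
import os
from pathlib import Path

# Only the installers / self-extractors can carry the infection when run,
# so those are the files worth hashing; archive contents were unmodified.
DEFAULT_EXTENSIONS = (".exe",)
CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large installers


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, extensions=DEFAULT_EXTENSIONS):
    """Recursively hash matching files; keys are POSIX-style paths relative to root."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = Path(dirpath) / name
                result[full.relative_to(root).as_posix()] = sha256_file(full)
    return result


def parse_manifest(text):
    """Parse 'hexdigest  relative/path' lines into {path: digest}; '#' starts a comment."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _sep, rel = line.partition("  ")
        manifest[rel.strip()] = digest.lower()
    return manifest


def verify_tree(root, manifest_text, extensions=DEFAULT_EXTENSIONS):
    """Compare the tree with the manifest.

    Returns a dict with four sorted lists:
      ok       - digest matches the manifest
      mismatch - file present but digest differs (treat as tampered)
      unknown  - file present but not listed (cannot be vouched for)
      missing  - listed in the manifest but not found on disk
    """
    manifest = parse_manifest(manifest_text)
    actual = hash_tree(root, extensions)
    report = {"ok": [], "mismatch": [], "unknown": [], "missing": []}
    for rel, digest in sorted(actual.items()):
        if rel not in manifest:
            report["unknown"].append(rel)
        elif manifest[rel] == digest:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    report["missing"] = sorted(set(manifest) - set(actual))
    return report


if __name__ == "__main__":
    import sys
    # Usage: python verify_hashes.py <archive_dir> <manifest.txt>
    rep = verify_tree(sys.argv[1], Path(sys.argv[2]).read_text())
    for kind, paths in rep.items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
    sys.exit(1 if rep["mismatch"] or rep["unknown"] else 0)
```

Restricting the walk to the extensions that matter is also what makes the run fast on a large archive: hashing every file, including the large portable .zip/.7z bundles, is what turns an overnight job out of something that should take minutes.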